diff --git a/.env.example b/.env.example index 36124f8..41052b3 100644 --- a/.env.example +++ b/.env.example @@ -53,6 +53,12 @@ AUTH_TOKEN=your-secure-token-here # For production, set to your specific domain # CORS_ORIGIN=https://your-client-domain.com +# Trust proxy configuration for correct IP logging (0=disabled, 1=trust first proxy) +# Set to 1 when running behind a reverse proxy (Nginx, Traefik, etc.) +# Set to the number of proxy hops if behind multiple proxies +# Default: 0 (disabled) +# TRUST_PROXY=0 + # ========================= # N8N API CONFIGURATION # ========================= diff --git a/CLAUDE.md b/CLAUDE.md index ff6f9a0..8fa8bfe 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -6,7 +6,14 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co n8n-mcp is a comprehensive documentation and knowledge server that provides AI assistants with complete access to n8n node information through the Model Context Protocol (MCP). It serves as a bridge between n8n's workflow automation platform and AI models, enabling them to understand and work with n8n nodes effectively. -## ✅ Latest Updates (v2.7.5) +## ✅ Latest Updates (v2.7.6) + +### Update (v2.7.6) - Trust Proxy Support for Correct IP Logging: +- ✅ **NEW: TRUST_PROXY support** - Log real client IPs when behind reverse proxy +- ✅ **FIXED: Issue #19** - Docker internal IPs no longer logged when proxy configured +- ✅ **ENHANCED: HTTP deployment** - Better nginx/proxy configuration documentation +- ✅ **FLEXIBLE: Proxy hop configuration** - Support for single or multiple proxy layers +- ✅ **BACKWARD COMPATIBLE**: Defaults to current behavior when not configured ### Update (v2.7.5) - AUTH_TOKEN_FILE Support & Known Issues: - ✅ **NEW: AUTH_TOKEN_FILE support** - Read authentication token from file (Docker secrets compatible) 
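Review bot: The TRUST_PROXY comment block added to .env.example says when to enable the setting but not when enabling it is unsafe. With a non-zero value, Express derives the client address from X-Forwarded-For. If the port is also reachable without going through the proxy, or the hop count is higher than the real number of proxies, a client can supply that header and decide which IP is logged. I would add a line such as `# Only enable when every request arrives through the proxy; a hop count that is too high lets clients forge the logged IP`. The same caveat belongs in the "Reverse Proxy Configuration" section added to docs/HTTP_DEPLOYMENT.md, which lists rate limiting as a use and whose compose example sets `TRUST_PROXY: 1` unconditionally.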
@@ -480,6 +487,10 @@ NODE_ENV=development PORT=3000 AUTH_TOKEN=your-secure-token +# Trust proxy for correct IP logging (optional) +# Set to 1 when behind a reverse proxy (Nginx, etc.) +TRUST_PROXY=0 + # MCP Configuration MCP_SERVER_NAME=n8n-documentation-mcp MCP_SERVER_VERSION=1.0.0 diff --git a/docs/HTTP_DEPLOYMENT.md b/docs/HTTP_DEPLOYMENT.md index 71a0e0d..9b1c255 100644 --- a/docs/HTTP_DEPLOYMENT.md +++ b/docs/HTTP_DEPLOYMENT.md @@ -2,7 +2,7 @@ Deploy n8n-MCP as a remote HTTP server to provide n8n knowledge to Claude from anywhere. -📌 **Latest Version**: v2.7.2 (includes fix for n8n management tools in Docker, updated documentation) +📌 **Latest Version**: v2.7.6 (includes trust proxy support for correct IP logging behind reverse proxies) ## 🎯 Overview @@ -150,6 +150,7 @@ Skip HTTP entirely and use stdio mode directly: | `HOST` | Bind address | `0.0.0.0` | | `LOG_LEVEL` | Log verbosity | `info` | | `NODE_ENV` | Environment | `production` | +| `TRUST_PROXY` | Trust proxy headers for correct IP logging | `0` | ### n8n Management Tools (Optional) 
@@ -197,6 +198,35 @@ When configured, you get **16 additional tools** (total: 38 tools): ⚠️ **Security Note**: Store API keys securely and never commit them to version control. +## 🌐 Reverse Proxy Configuration + +### Trust Proxy for Correct IP Logging + +When running n8n-MCP behind a reverse proxy (Nginx, Traefik, etc.), enable trust proxy to log real client IPs instead of proxy IPs: + +```bash +# Enable trust proxy in your environment +TRUST_PROXY=1 # Trust 1 proxy hop (standard setup) +# or +TRUST_PROXY=2 # Trust 2 proxy hops (CDN → Load Balancer → n8n-mcp) +``` + +**Without TRUST_PROXY:** +``` +[INFO] GET /health { ip: '172.19.0.2' } # Docker internal IP +``` + +**With TRUST_PROXY=1:** +``` +[INFO] GET /health { ip: '203.0.113.1' } # Real client IP +``` + +This is especially important when: +- Running in Docker/Kubernetes +- Using load balancers +- Debugging client issues +- Implementing rate limiting + ## 🔐 Security Setup ### Authentication @@ -225,6 +255,10 @@ server { location /mcp { proxy_pass http://localhost:3000; proxy_set_header Authorization $http_authorization; + # Important: Forward client IP headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } } ``` @@ -343,6 +377,7 @@ services: AUTH_TOKEN: ${AUTH_TOKEN:?AUTH_TOKEN required} NODE_ENV: production LOG_LEVEL: info + TRUST_PROXY: 1 # Enable if behind reverse proxy # Optional: Enable n8n management tools # N8N_API_URL: ${N8N_API_URL} # N8N_API_KEY: ${N8N_API_KEY} diff --git a/package.json b/package.json index 5254740..19ddd57 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "n8n-mcp", - "version": "2.7.5", + "version": "2.7.6", "description": "Integration between n8n workflow automation and Model Context Protocol (MCP)", "main": "dist/index.js", "scripts": { diff --git a/src/http-server-single-session.ts b/src/http-server-single-session.ts index 0fcb6a0..cd9b829 100644 
--- a/src/http-server-single-session.ts
+++ b/src/http-server-single-session.ts
@@ -154,6 +154,13 @@ export class SingleSessionHTTPServer {
 async start(): Promise {
 const app = express();
+ // Configure trust proxy for correct IP logging behind reverse proxies
+ const trustProxy = process.env.TRUST_PROXY ? Number(process.env.TRUST_PROXY) : 0;
+ if (trustProxy > 0) {
+ app.set('trust proxy', trustProxy);
+ logger.info(`Trust proxy enabled with ${trustProxy} hop(s)`);
+ }
+
 // DON'T use any body parser globally - StreamableHTTPServerTransport needs raw stream
 // Only use JSON parser for specific endpoints that need it
diff --git a/src/http-server.ts b/src/http-server.ts
index 021c1bc..471a6ad 100644
--- a/src/http-server.ts
+++ b/src/http-server.ts
@@ -95,6 +95,13 @@ export async function startFixedHTTPServer() {
 const app = express();
+ // Configure trust proxy for correct IP logging behind reverse proxies
+ const trustProxy = process.env.TRUST_PROXY ? Number(process.env.TRUST_PROXY) : 0;
+ if (trustProxy > 0) {
+ app.set('trust proxy', trustProxy);
+ logger.info(`Trust proxy enabled with ${trustProxy} hop(s)`);
+ }
+
 // CRITICAL: Don't use any body parser - StreamableHTTPServerTransport needs raw stream
 // Security headers
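Review bot: `Number(process.env.TRUST_PROXY)` in the block added to `start()` turns any non-numeric value (for example `true`) into NaN, and `NaN > 0` is false. The setting is then dropped with no log line and the operator keeps seeing proxy addresses. A fractional value passes the `> 0` test and is handed to Express unchanged, so the effective hop count is not what was written. I would validate before applying, with `if (!Number.isInteger(trustProxy) || trustProxy < 0) throw new Error('TRUST_PROXY must be a non-negative integer');` placed ahead of the `trustProxy > 0` check, or log a warning if failing startup is too strict. The identical block added to `startFixedHTTPServer()` in src/http-server.ts needs the same change; `start()` continues past the end of this hunk.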
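Review bot: The lines added to `startFixedHTTPServer()` in src/http-server.ts are a verbatim copy of the block added to `SingleSessionHTTPServer.start()`, so the parsing of a security-relevant setting now lives in two places that can drift apart. A small shared helper that reads TRUST_PROXY once and returns the hop count would keep both servers consistent. Its doc comment should state that a non-zero value makes Express take `req.ip` from X-Forwarded-For. Each call site then becomes `const trustProxy = getTrustProxyHops();` (the name is only a suggestion) followed by the existing `if`. The function body continues outside the hunk.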